Vulnerabilities Details


ZMC-2021.04.06.1439

Remediating Microsoft Exchange

Operating System: Windows

Published: 06 April 2021

Target: Microsoft Exchange Server products


===========================================================================
                         ZMCIRT Vulnerability Bulletin

                               ZMC-2021.04.06.1439
                         Remediating Microsoft Exchange
                               6 April 2021

===========================================================================
DESCRIPTION: An adversary can exploit this vulnerability to compromise your
network and steal information, encrypt data for ransom, or even execute a
destructive attack.
Note: ZMCIRT will update this web page as further guidance becomes available.
VULNERABILITY:  CVE-2021-26855
OTHER VULNERABILITIES: CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
TECHNICAL DETAILS:
1.	CVE-2021-26855, also known as ProxyLogon, is a server-side request forgery (SSRF)
    vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and
    authenticate as the Exchange server. The SSRF is triggered through the Exchange Control
    Panel (ECP). This also allows the attacker to gain access to mailboxes and read
    sensitive information.

2.	CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution.

FOR NON-IT/SECURITY STAFF (Updated March 24, 2021)
Microsoft released an automated tool that covers portions of the
detection and patching processes. The tool is intended for Microsoft
Exchange customers who do not have dedicated security or IT teams
to apply the security updates. The tool mitigates CVE-2021-26855
and is not a replacement for the Exchange security update, but it is the
fastest and easiest way to mitigate the highest risks to internet-connected,
on-premises Exchange Servers prior to patching.
REQUIREMENTS TO RUN THE EXCHANGE ON-PREMISES MITIGATION (EOMT) TOOL
  •	External Internet Connection from your Exchange server (required to download the Microsoft Safety Scanner and the IIS URL Rewrite Module).
  •	PowerShell script must be run as Administrator.

SYSTEM REQUIREMENTS
  •	PowerShell 3 or later
  •	IIS 7.5 and later
  •	Exchange 2013, 2016, or 2019
  •	Windows Server 2008 R2, Server 2012, Server 2012 R2, Server 2016, Server 2019

WHO SHOULD RUN THE EXCHANGE ON-PREMISES MITIGATION (EOMT) TOOL
Run the EOMT tool:
  •	If no patch or mitigation actions have been undertaken.
  •	If mitigation actions from Microsoft have been undertaken (e.g. the blog post
    mitigations, ExchangeMitigations.ps1, etc.).
  •	If the patch was applied but no investigation of potential adversary activity
    or Indicators of Compromise (IOC) has been undertaken.

Note: If you have already patched and investigated your system for Indicators
of Compromise (IOC), adversary activity, etc., you do not need to use the tool.

TEMPORAL MITIGATION STRATEGIES: 
1.	Read the One-Click Microsoft Exchange On-Premises Mitigation Tool page.

2.	Download the tool.
     •	Go to the tool's repository.
     •	In the README.md, download the 'EOMT' script from the table.

3.	Determine if your server is vulnerable, mitigate if vulnerable, and run MSERT in quick scan mode.
    If the server is not vulnerable, only the MSERT quick scan will run. To run a quick MSERT scan:
    .\EOMT.ps1

4.	This option is only recommended if the initial quick scan (step 3) discovered threats.
    The full scan may take hours or days to complete. To run a full MSERT scan:
    .\EOMT.ps1 -RunFullScan -DoNotRunMitigation

5.	To roll back the Exchange On-premises Mitigation Tool (EOMT) mitigations:
    .\EOMT.ps1 -RollbackMitigation

Note: If ExchangeMitigations.ps1 was used previously to apply mitigations, use ExchangeMitigations.ps1 for rollback.

FIX: Immediately update all instances of on-premises Microsoft Exchange that you are hosting.

FOR IT/SECURITY STAFF:
HOW TO KNOW IF YOU’VE BEEN COMPROMISED: 
1.	Read the Microsoft advisory.

2.	CVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs:
  •	These logs are located in the following directory:
     %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy

  •	Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern:
     ServerInfo~*/*

  •	Here is an example PowerShell command to find these log entries:
     Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' -or $_.BackEndCookie -like 'Server~*/*~*' } | Select-Object DateTime, AnchorMailbox, UrlStem, RoutingHint, ErrorCode, TargetServerVersion, BackEndCookie, GenericInfo, GenericErrors, UrlHost, Protocol, Method, RoutingType, AuthenticationType, ServerHostName, HttpStatus, BackEndStatus, UserAgent

  •	If activity is detected, the logs specific to the application named in the AnchorMailbox path can be used to help determine what actions were taken. These logs are located in the
     %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging directory.
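As an added example (not the bulletin's or Microsoft's code), the following Python checker applies the same two wildcard tests as the PowerShell command above to HttpProxy rows, so the logic can be reviewed and run offline; the sample log is a constructed, simplified subset of the real HttpProxy columns, and tolerance for a '#Fields:' header line is an assumption, not a documented HttpProxy format.

```python
# Added example (not the bulletin's or Microsoft's code): apply the two wildcard
# tests from the PowerShell command above to HttpProxy log rows. The sample log is
# a constructed, simplified subset of the real HttpProxy columns.
import csv
from fnmatch import fnmatchcase

# Constructed sample: rows 1 and 4 are benign; rows 2 and 3 have the shape the
# bulletin describes (203.0.113.7 is a documentation-range address).
SAMPLE_LOG = """DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,BackEndCookie,HttpStatus
2021-03-03T10:01:02.000Z,10.0.0.5,/owa/,contoso\\alice,Sid~S-1-5-21-1,Server~mail01.contoso.local~1941,200
2021-03-03T10:02:15.000Z,203.0.113.7,/ecp/y.js,,ServerInfo~mail01.contoso.local/autodiscover/autodiscover.xml,,200
2021-03-03T10:03:40.000Z,203.0.113.7,/owa/auth/x.js,,,Server~mail01.contoso.local/ecp/~1941,200
2021-03-03T10:04:01.000Z,10.0.0.9,/owa/auth/logon.aspx,,,,200
"""

ANCHOR_PATTERN = "ServerInfo~*/*"  # AnchorMailbox test given in the bulletin
COOKIE_PATTERN = "Server~*/*~*"    # BackEndCookie test from the PowerShell command


def like(value, pattern):
    """Case-insensitive wildcard match approximating PowerShell's -like."""
    return fnmatchcase((value or "").lower(), pattern.lower())


def parse_httpproxy_log(text):
    """Parse CSV rows into dicts. Also tolerates a '#Fields:' header line
    (assumption: HttpProxy logs normally begin directly with the CSV header)."""
    lines, header = [], None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            header = line[len("#Fields:"):].strip()
        elif line.startswith("#") or not line.strip():
            continue  # skip other metadata lines and blanks
        else:
            lines.append(line)
    if header:
        lines.insert(0, header)
    return list(csv.DictReader(lines))


def is_suspicious(row):
    """True when the row matches either CVE-2021-26855 indicator."""
    unauth_serverinfo = not row.get("AuthenticatedUser") and like(
        row.get("AnchorMailbox"), ANCHOR_PATTERN)
    return unauth_serverinfo or like(row.get("BackEndCookie"), COOKIE_PATTERN)


def find_suspicious_rows(text):
    """Rows to triage next in the application logs the bulletin points to."""
    return [row for row in parse_httpproxy_log(text) if is_suspicious(row)]
```

Point `find_suspicious_rows` at the contents of each `*.log` file under the HttpProxy directory; the returned rows carry the DateTime, client address and UrlStem needed to pivot into the per-application logs.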

3.	CVE-2021-26858 exploitation can be detected via the Exchange OAB Generator log files:

  •	The Exchange log files:
     C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog

  •	Files should only be downloaded to the %PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp directory.

  •	In case of exploitation, files are downloaded to other directories (UNC or local paths).

  •	Windows command to search for potential exploitation:
     findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"

4.	CVE-2021-26857 exploitation can be detected via the Windows Application event logs.
  •	Exploitation of this deserialization bug will create Application events with the following properties:
    Source: MSExchange Unified Messaging
    EntryType: Error
    Event Message Contains: System.InvalidCastException

  •	The following is a PowerShell command to query the Application event log for these log entries:
    Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }

5.	CVE-2021-27065 exploitation can be detected via the following Exchange log files:
  •	The Exchange log files:
     C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server

  •	Set-VirtualDirectory properties should never contain script.
  •	InternalUrl and ExternalUrl should only be valid URIs.

  •	The following is a PowerShell command to search for potential exploitation:
     Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'

     The script to scan Exchange log files is available at: https://github.com/microsoft/CSS-Exchange/tree/main/Security

6.	Look into webshells associated with this activity by reviewing the Malware Analysis Reports (MARs), including:
  •	AR21-072A: MAR-10328877.r1.v1: China Chopper Webshell
  •	AR21-072B: MAR-10328923.r1.v1: China Chopper Webshell
  •	AR21-072C: MAR-10329107.r1.v1: China Chopper Webshell
  •	AR21-072D: MAR-10329297.r1.v1: China Chopper Webshell
  •	AR21-072E: MAR-10329298.r1.v1: China Chopper Webshell
  •	AR21-072F: MAR-10329301.r1.v1: China Chopper Webshell
  •	AR21-072G: MAR-10329494.r1.v1: China Chopper Webshell

TEMPORAL MITIGATION STRATEGIES: make use of temporary mitigation strategies,
including Microsoft's alternative mitigations, until the security update is applied.

FIX: Immediately update all instances of on-premises Microsoft Exchange that you are hosting.

ZMCIRT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. ZMCIRT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Internet Email: incidents@cirt.zm
Telephone:      7070
                ZMCIRT personnel answer during Zambian business hours,
                which are 8am to 5pm.
                On call after hours for member emergencies only.
===========================================================================

Copyright © 2023 ZAMBIA CIRT